Rewired by Ryan Ellis & Vivek Mohan

Author: Ellis, Ryan; Mohan, Vivek K.
Language: eng
Format: epub
ISBN: 9781119085171
Publisher: John Wiley & Sons, Inc.
Published: 2019-05-07T00:00:00+00:00


9.2 The Conficker Infection

On 23 October 2008, during the eighth annual meeting of the International Botnet Task Force, Microsoft released an out‐of‐band emergency security patch. The patch fixed a Windows vulnerability that could allow malware to spread between unprotected machines without any user interaction.6 While releasing an emergency patch cast a spotlight on the vulnerability, Microsoft had already seen the flaw exploited in the wild. On 22 November, a month after the patch's release, a new piece of highly contagious malware – the Conficker worm – was first detected. In response, Microsoft issued a security alert recommending that people immediately patch their systems.

For the most part, Conficker A (as it would come to be called) simply hid in a computer's background activity. When it was time to call home for instructions, however, the worm would contact 250 pseudorandomly generated domains spread out across 5 TLDs. Behind any of those domains, the creators of the worm could be waiting to issue commands. A few weeks later, a more sophisticated variant called Conficker B appeared; this variant could propagate via thumb drives, disable Windows Automatic Update, block certain DNS look‐ups, and call domains from eight TLDs.7 While these strategies were not new, it was unusual for so many features to be packed into a single piece of malware. More than one researcher described it as “elegant.”8 By the end of 2008, SRI International estimated that between 1 and 1.5 million computers were infected.9 Over the next five months, three additional versions of the worm would be introduced. At its peak in 2009, the Conficker botnet grew to between 5 and 13 million machines.10

While Microsoft's release of an emergency patch signaled that the vulnerability was particularly dangerous, in general, the cybersecurity community was slow to recognize the scope of the problem. While the worm was discussed with increased frequency on a number of cybersecurity e‐mail lists in late 2008,11 there was little organized activity within the private sector to control the spread of the worm until early 2009. Governments, meanwhile, were entirely absent from the discussion. The security firm Qualys estimated that two months after the emergency patch was released, 30% of computers running Windows remained unpatched.12

A small number of security experts, who would later call themselves the CWG, did notice that Conficker threatened the internet at large. Shortly after the worm's appearance, they began to study the worm and devise ways to control it. Early members of the all‐volunteer CWG, many of whom knew each other from conferences and social media, included representatives of Microsoft, SRI International, and several companies that managed TLDs, as well as a number of independent security researchers and academics. Relatively quickly, they discovered that the domain names which could be used for command and control communications were not random. By running the domain name generation algorithm for a future date, the group could identify the domains that would be called and register the names themselves (often with personal credit cards) before the worm's creators could use them for passing instructions to the botnet.
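The pre-registration tactic above works because a date-seeded domain generation algorithm is deterministic: anyone holding the algorithm can compute tomorrow's 250 names today. The following is an added illustration, not Conficker's actual algorithm and not code from the book; it uses a constructed toy generator (SHA-256 of the date and an index, five assumed TLDs) to show how a defender computes and sinkholes the upcoming domain set and flags DNS queries that match it.

```python
import hashlib
from datetime import date, timedelta

# Constructed, hypothetical DGA for illustration only. It is NOT the real
# Conficker algorithm; it only shows why a date-seeded generator is predictable.
TLDS = ["com", "net", "org", "info", "biz"]   # assumed set of five TLDs
DOMAINS_PER_DAY = 250                         # matches the count quoted for Conficker A
SAMPLE_DAY = date(2009, 1, 1)                 # constructed sample date


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the deterministic list of candidate rendezvous domains for `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        length = 8 + int(digest[:2], 16) % 5          # 8 to 12 letters per label
        label = "".join(
            chr(ord("a") + int(digest[2 + 2 * k:4 + 2 * k], 16) % 26)
            for k in range(length)
        )
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]   # spread across the TLDs
        domains.append(f"{label}.{tld}")
    return domains


def preregistration_plan(start: date, days_ahead: int) -> dict[str, list[str]]:
    """Defender's view: every domain the worm will try over the next N days,
    keyed by ISO date, so they can be registered or sinkholed in advance."""
    plan = {}
    for d in range(days_ahead):
        day = start + timedelta(days=d)
        plan[day.isoformat()] = generate_domains(day)
    return plan


def is_rendezvous_domain(name: str, day: date) -> bool:
    """Detection helper: does a queried name fall in that day's generated set?
    A resolver log full of hits on these names points at infected hosts."""
    return name.lower().rstrip(".") in set(generate_domains(day))
```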
